refactor: align backend layout and supabase infra

Consolidate backend modules/tests under the backend package while syncing Supabase compose/env config and related plans.

backend/alembic/versions/20260205_create_profiles_table.py

@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import sqlalchemy as sa
+from alembic import op
+from sqlalchemy.dialects import postgresql
+
+
+revision = "20260205_create_profiles_table"
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "profiles",
+        sa.Column("id", postgresql.UUID(as_uuid=True), nullable=False),
+        sa.Column("username", sa.String(length=30), nullable=False),
+        sa.Column("display_name", sa.String(length=50), nullable=True),
+        sa.Column("avatar_url", sa.Text(), nullable=True),
+        sa.Column("bio", sa.String(length=200), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint("id", name="pk_profiles"),
+        sa.UniqueConstraint("username", name="uq_profiles_username"),
+    )
+    op.create_index("ix_profiles_username", "profiles", ["username"])
+    op.create_index("ix_profiles_deleted_at", "profiles", ["deleted_at"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_profiles_deleted_at", table_name="profiles")
+    op.drop_index("ix_profiles_username", table_name="profiles")
+    op.drop_table("profiles")

backend/alembic/versions/85d25a191d06_enable_rls_security_policies.py

@@ -0,0 +1,86 @@
+"""enable_rls_security_policies
+
+Revision ID: 85d25a191d06
+Revises: 20260205_create_profiles_table
+Create Date: 2026-02-05 15:08:33.430692
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+
+
+# revision identifiers, used by Alembic.
+revision: str = "85d25a191d06"
+down_revision: Union[str, Sequence[str], None] = "20260205_create_profiles_table"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Enable RLS security policies.
+
+    Security measures:
+    1. Revoke anon role access to alembic_version (internal table)
+    2. Enable RLS on profiles table
+    3. Add defensive policies for profiles (deny all public access by default)
+
+    Architecture:
+    - Backend uses service_role connection (bypasses RLS)
+    - RLS provides defense-in-depth security layer
+    - Prevents accidental direct PostgREST access
+    """
+
+    # 1. Revoke anon role access to alembic_version table
+    op.execute("REVOKE ALL ON TABLE public.alembic_version FROM anon")
+    op.execute("REVOKE ALL ON TABLE public.alembic_version FROM authenticated")
+
+    # 2. Enable RLS on profiles table
+    op.execute("ALTER TABLE public.profiles ENABLE ROW LEVEL SECURITY")
+
+    # 3. Add defensive policies for profiles table
+    # These policies deny all public access by default
+    # Backend service_role connection bypasses these policies
+
+    # Deny all SELECT operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_select ON public.profiles "
+        "FOR SELECT TO anon, authenticated USING (false)"
+    )
+
+    # Deny all INSERT operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_insert ON public.profiles "
+        "FOR INSERT TO anon, authenticated WITH CHECK (false)"
+    )
+
+    # Deny all UPDATE operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_update ON public.profiles "
+        "FOR UPDATE TO anon, authenticated USING (false) WITH CHECK (false)"
+    )
+
+    # Deny all DELETE operations for anon and authenticated roles
+    op.execute(
+        "CREATE POLICY profiles_deny_public_delete ON public.profiles "
+        "FOR DELETE TO anon, authenticated USING (false)"
+    )
+
+
+def downgrade() -> None:
+    """Rollback RLS security policies."""
+
+    # 1. Drop all policies on profiles table
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_select ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_insert ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_update ON public.profiles")
+    op.execute("DROP POLICY IF EXISTS profiles_deny_public_delete ON public.profiles")
+
+    # 2. Disable RLS on profiles table
+    op.execute("ALTER TABLE public.profiles DISABLE ROW LEVEL SECURITY")
+
+    # 3. Re-grant default privileges to anon role on alembic_version
+    # (reverting to Alembic's default behavior)
+    op.execute("GRANT SELECT ON TABLE public.alembic_version TO anon")
+    op.execute("GRANT SELECT ON TABLE public.alembic_version TO authenticated")